URL-Phish: A Feature-Engineered Dataset for Phishing Detection
Description
This dataset, named URL-Phish, is designed for phishing detection research. It contains 111,660 unique URLs divided into: • 100,000 benign samples (label = 0), collected from trusted sources including educational (.edu), governmental (.gov), and top-ranked domains. The benign dataset was obtained from the Research Organization Registry [1]. • 11,660 phishing samples (label = 1), obtained from the PhishTank repository [2] between November 2024 and September 2025. Each URL entry was automatically processed to extract 22 lexical and structural features, such as URL length, domain length, number of subdomains, digit ratio, entropy, and HTTPS usage. In addition, three reference columns (url, dom, tld) are preserved for interpretability. One label column is included (0 = benign, 1 = phishing). A data cleaning step removed duplicates and empty entries, followed by normalization of features to ensure consistency. The dataset is provided in CSV format, with 22 numerical feature columns, 3 string reference columns, and 1 label column (total = 26 columns). References [1] Research Organization Registry, “ROR Data.” Zenodo, Sept. 22, 2025. doi: 10.5281/ZENODO.6347574. [2] PhishTank, “PhishTank: Join the fight against phishing.” [Online]. Available: https://phishtank.org
Files
Steps to reproduce
• Collect benign URLs from the Zenodo ROR dataset [1] and phishing URLs from the PhishTank repository [2]. • Remove duplicates and empty entries. • Extract 25 lexical and structural features (e.g., URL length, domain length, digit ratio, entropy, HTTPS usage). • Normalize feature values to ensure consistency. • Assign binary labels (0 = benign, 1 = phishing). Notes • The columns url, dom, and tld are preserved for reference and interpretability but not used directly for model training. • The main feature set used in experiments consists of 22 numerical features plus the label column.